You are looking at preliminary documentation for a future release.
Not what you want? See the
current release documentation.
My First Alertedit
This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity.
Rule type: threshold
Rule indices:
- apm--transaction
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- -elastic-cloud-logs-
Severity: low
Risk score: 21
Runs every: 24 hours
Searches indices from: now-24h (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 1
References:
Tags:
- Elastic
- Example
- Guided Onboarding
- Network
- APM
- Windows
- Elastic Endgame
Version: 1
Added (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positivesedit
This rule is not looking for threat activity. Disable the rule if you’re already familiar with alerts.
Investigation guideedit
This is a test alert. This alert does not show threat activity. Elastic created this alert to help you understand how alerts work. For normal rules, the Investigation Guide will help analysts investigate alerts. This alert will show once every 24 hours for each host. It is safe to disable this rule.
Rule queryedit
event.kind:"event"